Re: [Simple-evcorr-users] How to introduce new match variable

2020-02-20 Thread Dusan Sovic 
Hi Risto,

Thank you for your explanation. All works well for me now.
I using SEC v 2.7.12 therefore I see that compilation error with lcall and :> 
operator.

Thank you,
Dusan

Od: Risto Vaarandi 
Odoslané: streda 19. februára 2020 14:52
Komu: Dusan Sovic 
Kópia: simple-evcorr-users@lists.sourceforge.net 

Predmet: Re: [Simple-evcorr-users] How to introduce new match variable

hi Dusan,

you can find my comments below:

>
> I try to add new variable using “context” and :> operator also using “lcall” 
> action but no luck.
> Any idea how to achieve this?
>
> This is what I have produced so far:
>
> Config file: dusko.sec
> 
> rem=Rule 1
> type=Single
> ptype=RegExp
> pattern=^(?\S+) (?\S+)$
> varmap=MY_EVENT
> continue=TakeNext
> desc=Parsing Event
> action=write - R1: Parsing event: $+{EVENT} $+{SEVERITY}
>
> rem=Rule 2
> type=Single
> ptype=Cached
> pattern=MY_EVENT
> context=MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } )
> desc=Introducing new variable
> action=lcall %o MY_EVENT -> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>

Rule #2 is not having an expected effect, since SEC rule matching involves 
several steps in the following order:
1) pattern is matched against an incoming event
2) if pattern matched the event, collect match variable values for 
substitutions (e.g., substitutions in 'context' field of the rule)
3) evaluate the context expression of the rule (provided with 'context' field)

If any new match variables are created during step 3, they are not used during 
substitutions within the current rule, since the set of match variables and 
their values were fixed during previous step. However, the match variable would 
be visible in the following rules. In order to make the variable visible 
immediately in the current rule, you can enclose the context expression in 
square brackets [ ], which means that context expression has to be evaluated 
*before* the pattern match (in other words, step 3 would be taken before step 1 
now). For example:

rem=Rule 2
type=Single
ptype=Cached
pattern=MY_EVENT
context=[ MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } ) ]
desc=Introducing new variable
action=write - R2: NEW = $+{NEW}

The use of [ ] operator involves one caveat -- since match variables (e.g., $1 
or $2) are produced by pattern match, they will not have any values yet when 
context expression is evaluated, and are therefore not substituted. However, 
this is not a problem for the above rule, since the context expression in this 
rule contains no references to match variables (such as $1 or $+{NEW}).

>
> Also if I want to replace “->” with “:>” for lcall action:
> action=lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>
> I got compilation error:
> Rule in ./dusko.sec at line 10: Eval '{"NEW"} = "value" } )' didn't return a 
> code reference: syntax error at (eval 9) line 1, near "} ="
> Unmatched right curly bracket at (eval 9) line 1, at end of line
> Rule in ./dusko.sec at line 10: Invalid action list ' lcall %o MY_EVENT :> ( 
> sub { $_[0]->{"NEW"} = "value" } ); write - R2: NEW = $+{NEW} '

This is because the :> operator for 'lcall' action was introduced in sec-2.8.0, 
and is not supported by previous versions (such as sec-2.7.X). When I tried 
your rule with sec-2.8.2, everything worked fine, but testing it with 
sec-2.7.12 produced the same error message. Therefore I suspect that you have 
an earlier version than 2.8.0, and would recommend to upgrade to 2.8.2 (the 
latest version). But with the above workaround, you would not need 'lcall %o 
MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } )' action anyway.

Hope this helps,
risto

>
> Thanks for any help,
> Dusan
>
> ___
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net<mailto:Simple-evcorr-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Re: [Simple-evcorr-users] How to introduce new match variable

2020-02-19 Thread Risto Vaarandi 
hi Dusan,

you can find my comments below:

>
> I try to add new variable using “context” and :> operator also using
“lcall” action but no luck.
> Any idea how to achieve this?
>
> This is what I have produced so far:
>
> Config file: dusko.sec
> 
> rem=Rule 1
> type=Single
> ptype=RegExp
> pattern=^(?\S+) (?\S+)$
> varmap=MY_EVENT
> continue=TakeNext
> desc=Parsing Event
> action=write - R1: Parsing event: $+{EVENT} $+{SEVERITY}
>
> rem=Rule 2
> type=Single
> ptype=Cached
> pattern=MY_EVENT
> context=MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } )
> desc=Introducing new variable
> action=lcall %o MY_EVENT -> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>

Rule #2 is not having an expected effect, since SEC rule matching involves
several steps in the following order:
1) pattern is matched against an incoming event
2) if pattern matched the event, collect match variable values for
substitutions (e.g., substitutions in 'context' field of the rule)
3) evaluate the context expression of the rule (provided with 'context'
field)

If any new match variables are created during step 3, they are not used
during substitutions within the current rule, since the set of match
variables and their values were fixed during previous step. However, the
match variable would be visible in the following rules. In order to make
the variable visible immediately in the current rule, you can enclose the
context expression in square brackets [ ], which means that context
expression has to be evaluated *before* the pattern match (in other words,
step 3 would be taken before step 1 now). For example:

rem=Rule 2
type=Single
ptype=Cached
pattern=MY_EVENT
context=[ MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } ) ]
desc=Introducing new variable
action=write - R2: NEW = $+{NEW}

The use of [ ] operator involves one caveat -- since match variables (e.g.,
$1 or $2) are produced by pattern match, they will not have any values yet
when context expression is evaluated, and are therefore not substituted.
However, this is not a problem for the above rule, since the context
expression in this rule contains no references to match variables (such as
$1 or $+{NEW}).

>
> Also if I want to replace “->” with “:>” for lcall action:
> action=lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>
> I got compilation error:
> Rule in ./dusko.sec at line 10: Eval '{"NEW"} = "value" } )' didn't
return a code reference: syntax error at (eval 9) line 1, near "} ="
> Unmatched right curly bracket at (eval 9) line 1, at end of line
> Rule in ./dusko.sec at line 10: Invalid action list ' lcall %o MY_EVENT
:> ( sub { $_[0]->{"NEW"} = "value" } ); write - R2: NEW = $+{NEW} '

This is because the :> operator for 'lcall' action was introduced in
sec-2.8.0, and is not supported by previous versions (such as sec-2.7.X).
When I tried your rule with sec-2.8.2, everything worked fine, but testing
it with sec-2.7.12 produced the same error message. Therefore I suspect
that you have an earlier version than 2.8.0, and would recommend to upgrade
to 2.8.2 (the latest version). But with the above workaround, you would not
need 'lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } )' action
anyway.

Hope this helps,
risto

>
> Thanks for any help,
> Dusan
>
> ___
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

[Simple-evcorr-users] How to introduce new match variable

2020-02-19 Thread Dusan Sovic 
Hi SEC users,

I want to create / introduce new match variable in my rules.
I search forum posts and found this:

"Once you have cached match results, they become visible across all rules
and you can modify them. In order to do this, you have to use the :>
context expression operator for getting a reference to the set of cached
match variables. Once you have the reference, you can not only modify
individual variables, but you can also delete existing match variables, and
even introduce new variables (for example, $_[0]->{"newvariable"} = 1 would
set the variable $+{newvariable} to 1)."

I try to add new variable using “context” and :> operator also using “lcall” 
action but no luck.
Any idea how to achieve this?

This is what I have produced so far:

Config file: dusko.sec

rem=Rule 1
type=Single
ptype=RegExp
pattern=^(?\S+) (?\S+)$
varmap=MY_EVENT
continue=TakeNext
desc=Parsing Event
action=write - R1: Parsing event: $+{EVENT} $+{SEVERITY}

rem=Rule 2
type=Single
ptype=Cached
pattern=MY_EVENT
context=MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } )
desc=Introducing new variable
action=lcall %o MY_EVENT -> ( sub { $_[0]->{"NEW"} = "value" } ); \
write - R2: NEW = $+{NEW}

Star sec
---
sec -input=- -conf=./dusko.sec -intevents -intcontexts --debug=6

Put this input event:
---
Event1 Normal

Result into:

R1: Parsing event: Event1 Normal
R2: NEW =

Also if I want to replace “->” with “:>” for lcall action:
action=lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } ); \
write - R2: NEW = $+{NEW}

I got compilation error:
Rule in ./dusko.sec at line 10: Eval '{"NEW"} = "value" } )' didn't return a 
code reference: syntax error at (eval 9) line 1, near "} ="
Unmatched right curly bracket at (eval 9) line 1, at end of line
Rule in ./dusko.sec at line 10: Invalid action list ' lcall %o MY_EVENT :> ( 
sub { $_[0]->{"NEW"} = "value" } ); write - R2: NEW = $+{NEW} '

Thanks for any help,
Dusan

___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users